A few days ago, folks showed their frustration on social networks when MCB Internet banking suffered from a downtime. I don’t know for how long the downtime lasted but during the weekend when I checked the facility was still unavailable. People were frustrated because it was end-of-month and many wanted balance inquiries.

Technical faults happen, maintenance plans go out-of-control, as sysadmins we’re aware of such situations. However, this time phishing attackers tried to benefit from the downtime. Some MCB customers received emails as follows:

The message was flagged as “spam” for obvious reasons. See the email address of the sender. However, the text that followed might have tempted people to visit and that’s where the real thing would happen.

Even though the URL is lame, the page could be convincing to some. Right?

Another thing that intrigues me is that the attack seems to be targeted towards “some” MCB customers, which means they must have got hold on the email addresses from somewhere. I don’t know of non-MCB customers receiving the email. If you’re a non-MCB customer out there who got this, please let me know. I’ll need some elements to fine-tune my observation.

Okies. So far, IT enthusiasts will find this a lame attack since the email wasn’t forged, the URL looks very ugly, and the overall page content depicts a lot of fake elements (fake links, poor image quality etc). However, some folks might fall for it as they would not be attracted towards those elements. They might recall there was a downtime & now maybe this is an important procedure.

Let’s have a look at the page source & see where the credentials are going.

 

They are being sent to the attacker through a form which is hosted at http://chrome888.bugs3.com/dodge/feedback.php. Let’s see the other contents there.

The file 3.html is supposed to be displayed once the person has submitted his/her login credentials; just to assure the person everything is fine.

That should be the victim’s “assurance” once he/she has been duped into giving out login credentials. Aww! They even put a link back to the real MCB website. How sweet of them (^^,) …

Fellow Mauritians, I said before, a lot of folks said before me, we’re saying it again, you have to be on guards when you’re online. Know what you do, what you click, what you post. This is happening with our local banks because of money. Tomorrow such things will happen with our other accounts on other local websites.